| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Identity Synchronization for Windows 6.0 Deployment Planning Guide |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Identity Synchronization for Windows 6.0 Deployment Planning Guide |
2. Case Study: Deploying in a Multimaster Replication Environment
3. Case Study: Deploying in a High-Availability Environment Over a Wide Area Network Using SSL
Global Telco Deployment Information
Installation and Configuration Overview
Primary and Secondary Installations
Periodically Linking New Users
Large Deployment Considerations
Increasing Connector Worker Threads
Aligning Primary and Failover Configurations
Setting Multiple Passwords for uid=PSWConnector
Initial idsync resync Operation
Initial idsync resync Operation for Primary Installation
Initial idsync resync Operation for Failover Installation
Periodic idsync resync Operations
Periodic idsync resync Operation for Primary Installation
Periodic idsync resync Operation for Failover Installation
Understanding the Failover Process
Initializing the Connector State
Failover Installation Maintenance
Stopping Synchronization at the Primary Installation
Starting Synchronization at the Failover Installation
Re-enabling the Directory Server Plugins
Changing the PDC FSMO Role Owner
Failing Back to the Primary installation
A. Pluggable Authentication Modules
B. Identity Manager and Identity Synchronization for Windows Cohabitation
Global Telco requires that all network traffic is encrypted, so SSL is used with trusted certificates for all LDAP connections. This setup includes connections between the following:
Directory Server Connector and the preferred and secondary directory server masters.
Active Directory Connector and the Active Directory domain controller.
Preferred and secondary directory server masters, and the Active Directory domain controllers for on-demand password synchronization.
All other masters and read-only replicas and the preferred and secondary directory server masters for on-demand password synchronization.
Companies typically use only a few Certificate Authorities (CA) to sign certificates, so the simplest approach to setting up SSL for Identity Synchronization for Windows is to add all CA certificates to every component’s certificate database. Global Telco uses two Certificate Authorities: one to sign their Directory Server certificates and one to sign their Active Directory certificates. Both these CA certificates are added to the certificate database of each connector and each directory server instance.
Note - The idsync certinfo command displays the steps for configuring SSL for Identity Synchronization for Windows components, based on the current configuration. It does not have access to each component’s certificate database, so it cannot determine if the steps have already been followed.
The output of this command is shown for the primary installation below. The output for the failover installation is identical except that the roles of the US and European machines is reversed.
bash-2.05# /opt/SUNWisw/bin/idsync certinfo -q <omitted password\> -w <omitted password\> Connector: CNN100 Installation Host: connectors-us Installation Path: /opt Certificate Database Location: /var/opt/SUNWisw/etc/CNN100 **The Directory Server Connector's certificate database must contain the CA certificate used to sign Directory Server's SSL certificate. If this certificate has not already been added to the connector's certificate database, please export the CA certificate and import into Directory Server Connector certificate database for server ldaps://master1-us.gt.com:636. **The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad1-us.gt.com:636 and import into Directory Server certificate database for server ldaps://master1-us.gt.com:636. **The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad2-us.gt.com:636 and import into Directory Server certificate database for server ldaps://master1-us.gt.com:636. **The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad3-eu.gt.com:636 and import into Directory Server certificate database for server ldaps://master1-us.gt.com:636. **The Directory Server Connector's certificate database must contain the CA certificate used to sign the Directory Server's SSL certificate. If this certificate has not already been added to the connector's certificate database, please export the CA certificate and import into Directory Server Connector certificate database for server ldaps://master2-us.gt.com:636.
**The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad1-us.gt.com:636 and import into Directory Server certificate database for server ldaps://master2-us.gt.com:636. **The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad2-us.gt.com:636 and import into Directory Server certificate database for server ldaps://master2-us.gt.com:636. **The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad4-eu.gt.com:636 and import into Directory Server certificate database for server ldaps://master1-us.gt.com:636. **The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad3-eu.gt.com:636 and import into Directory Server certificate database for server ldaps://master2-us.gt.com:636. **The Directory Server's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Directory Server's certificate database, please export the CA certificate from the Active Directory at ldaps://ad4-eu.gt.com:636 and import into Directory Server certificate database for server ldaps://master2-us.gt.com:636. Connector: CNN101 Installation Host: connectors-us Installation Path: /opt Certificate Database Location: /var/opt/SUNWisw/etc/CNN101 **The Active Directory Connector's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Active Directory Connector certificate database, please export the CA certificate from the Active Directory and import into Active Directory Connector's certificate database for server ldaps://ad1-us.gt.com:636.
**The Active Directory Connector's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Active Directory Connector certificate database, please export the CA certificate from the Active Directory and import into Active Directory Connector's certificate database for server ldaps://ad2-us.gt.com:636. **The Active Directory Connector's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Active Directory Connector certificate database, please export the CA certificate from the Active Directory and import into Active Directory Connector's certificate database for server ldaps://ad3-eu.gt.com:636. **The Active Directory Connector's certificate database must contain the CA certificate used to sign the Active Directory's SSL certificate. If this certificate has not already been added to the Active Directory Connector certificate database, please export the CA certificate from the Active Directory and import into Active Directory Connector's certificate database for server ldaps://ad4-eu.gt.com:636. SUCCESS
Setting Up SSL summarizes SSL communication between components in this installation, including trust requirements for the primary and failover installations.
Table 3-1 SSL Communication between Components
|
In this installation, Global Telco adds both the CA certificates to the certificate databases of the four connectors and eight directory servers.
Note - See the Sun Java System Directory Server Enterprise Edition 11.1.1 Installation Guide for detailed instructions on adding certificates to the certificate databases. The Directory Server and connectors must be restarted after the certificates have been added. The Directory Server must be restarted after the Identity Synchronization for Windows Plugin is installed, therefore, it is recommended that you add the CA certificates to the Directory Servers' certificate databases before the Identity Synchronization for Windows Plugin is installed.
|